NAVEX: Top 10 risk and compliance trends for 2022


Diversity, equity, and inclusion; prioritizing ESG; business continuity; and more highlight the latest edition of NAVEX’s annual list of risk and compliance trends worth monitoring.

Ransomware cover

CW case study to offer 360-degree view of ransomware attack


Learn through the eyes of the C-suite at Vulnerable Electric, a fictional private utility company impacted by a significant ransomware attack, as part of Compliance Week’s upcoming case study set to begin publishing Jan. 31.


Report: GDPR fines surpass $1B in 2021; breach notifications also rise


Nearly €1.1 billion (U.S. $1.2 billion) worth of fines have been issued against organizations in the past year for violations of the General Data Protection Regulation, according to the latest annual report by law firm DLA Piper.


Accellion to pay $8.1M in proposed data breach settlement


The Accellion data breach that last year affected a variety of private- and public-sector organizations and compromised the personal data of millions of individuals could be resolved in an $8.1 million class-action settlement.

Morgan Stanley

Morgan Stanley agrees to $60M settlement over compromised personal data


Morgan Stanley has agreed to establish a $60 million fund to settle a class-action lawsuit filed by nearly a dozen customers regarding personal data that was compromised when the bank decommissioned two wealth management centers.


DiMauro: Seven compliance areas to watch in 2022


If 2021 was about transition under the Biden administration, 2022 is looking as if it will be a year of action. CW Director of Compliance Programs & Training Julie DiMauro shares her list of key areas she expects to receive enhanced scrutiny in the year ahead.


Desjardins reaches $155M proposed settlement in data breach class action


Desjardins Group has reached a proposed C$201 million (U.S. $155 million) settlement agreement in a class-action lawsuit following a long-running data breach that ultimately compromised the personal information of nearly 10 million individuals in Canada and abroad.


Cybersecurity trends continue in 2021 audit committee transparency report


The most dramatic increase in audit committee disclosures in proxy statements for the second consecutive year was in responsibility for cybersecurity risk oversight, according to the latest report from the Center for Audit Quality and Audit Analytics.

Data Harvest

Survey: Benchmark your data protection controls

2021-12-14T21:15:00+00:00By Compliance Week

How does your company tackle data protection compliance? Share your insights with Compliance Week and BRYTER.


Ten things I’d like to see happen in 2022 (2021 in review)


ESG and cryptocurrency figure to be key topics in 2022, but we’re also keeping an eye on President Biden’s anti-corruption efforts, details on Amazon’s record GDPR fine, the status of Facebook’s first CCO, and more.


SEC 2022 rulemaking preview: Clarity to come on ESG, crypto?


In his first year leading the Securities and Exchange Commission, Gary Gensler has tipped his hand regarding stricter oversight of companies’ environmental disclosures and the cryptocurrency industry. Year 2 will likely see words turn to actions.

Privacy data access

NYDFS guidance addresses common MFA problems—and how to fix them


The New York State Department of Financial Services outlined common vulnerabilities in multi-factor authentication and how to address them from a cybersecurity risk management standpoint.

Digital banking

OCC report: Cyberattacks, pandemic among top bank risk areas in 2021


Banks and financial institutions regulated by the OCC faced elevated risks in 2021 from cyberattacks launched on them and their third parties, as well as compliance risks related to the pandemic, according to the agency’s latest report.

Capital One

Five compliance triumphs from 2021


A key CCO appointment, a company committed to transparency, and a bank that spent big on improving its AML controls highlight CW’s annual list of laudable ethics and compliance moments.


CPE Webcast: Myths, realities of compliance with CMMC 2.0

2021-12-07T14:00:00+00:00Provided by

The Department of Defense’s updated Cybersecurity Maturity Model Certification 2.0 program has led to much speculation about the impact to prime DOD contractors and their subcontractors.


​GoDaddy data breach affects 1.2M customers


Web hosting company GoDaddy announced an unauthorized third party obtained the email addresses and customer numbers of up to 1.2 million users after improperly accessing its Managed WordPress hosting environment.

Cybersecurity offices

Rule requires banks report significant ‘computer-security incidents’ within 36 hours


Federal banking regulators issued a rule that requires financial institutions to notify their regulator within 36 hours of a “computer-security incident” that materially affects their operation, ability to deliver services, or the stability of the financial sector.


The year of ransomware: How companies are boosting cybersecurity controls


High-profile ransomware events over the last year have prompted businesses to beef up cyber defenses through new investments, increased training, and more, according to our “Inside the Mind of the CCO” survey.


Treasury ransomware response: More sanctions, updated FinCEN guidance


The U.S. Treasury continued its crackdown on facilitators of ransomware payments, sanctioning a second virtual currency exchange and its affiliates and updating FinCEN guidance to help make financial institutions more aware of related red flags.


Robinhood data breach impacts 7 million customers


Robinhood announced a hacker obtained the email addresses or names of approximately seven million of its customers. Approximately 310 customers had their personal information exposed as part of the same breach.


Roisman: SEC should consider stricter cyber reporting for public companies, advisers


SEC Commissioner Elad Roisman says the agency should mull over whether to require public companies and investment advisers to perform the same kind of reporting, preparation, and planning for cyber incidents that FINRA requires of registered broker-dealers.

ICA to explore impact of ransomware on financial crime compliance

2021-10-27T14:50:00+01:00By GRC Announcements

The International Compliance Association will explore the impact of ransomware on financial crime compliance on Nov. 16 as part of a free webinar.

3x2 web graphic

Compliance Week National Conference is going back in person in May


Mark your calendars: Compliance Week’s National Conference in Washington, D.C. will be held in person for the first time in nearly three years from May 16-18, 2022.


FinCEN report: Ransomware SARs surge past 2020 totals


A Financial Crimes Enforcement Network report on financial trends in Bank Secrecy Act data found a greater number of SARs related to ransomware filed between January and June 2021 than during all of 2020.

United States cyber

How to respond to government’s renewed emphasis on cybersecurity


The Department of Justice’s new Civil Cyber-Fraud Initiative is the latest development to suggest companies’ cybersecurity defenses had better be up to snuff when doing business with the U.S. government or risk enforcement.


DOJ to enforce False Claims Act in regulating contractor data breaches


The Department of Justice will use the False Claims Act to pursue cases of cybersecurity-related fraud by government contractors and grant recipients—including claims against entities that fail to report breaches and hacks in a timely manner.

Neiman Marcus

Neiman Marcus data breach exposes personal info of 4.6M customers


Luxury retailer Neiman Marcus discovered last month a May 2020 data breach that exposed personal and financial information contained in the online accounts of approximately 4.6 million customers.

csiweb cyber poll cover img

White paper: 2021 Consumer Cybersecurity Poll Executive Report

2021-10-01T05:12:00+01:00Provided by

To uncover Americans’ top cybersecurity concerns, CSI partnered with The Harris Poll to survey more than 2,000 U.S. adults age 18 and above about their perceptions, fears and expectations related to cybersecurity.

Cybersecurity Best Practices for the Compliance Practitioner

Introducing: Cybersecurity training customized for compliance

2021-09-28T13:31:00+01:00By Darren R. Hayes, CW Cybersecurity Course Author

The professor who created CW’s first-ever self-directed learning module explains what compliance practitioners can expect to get out of the course—and why it’s an essential tool in an evolving cyber-risk landscape.


On-demand training: Protect your company from cyber risks


Take this self-directed, interactive course to deepen your understanding of cybersecurity risks and learn about the latest regulations to keep your organization compliant and prepared for today’s dangerous cyber-environment.

Treasury Department

Treasury sanctions virtual currency exchange as part of ransomware response


The U.S. Department of the Treasury announced “robust actions” to counter ransomware, including blocking the assets of a Russian virtual currency exchange that has facilitated payments for at least eight ransomware variants.


CPE Webcast: Defending yourself from ransomware third-party risks

2021-09-02T14:00:00+01:00Provided by

Ransomware continues to dominate headlines with no sign of slowing down. What started more than 30 years ago has become one of the most prevalent and lucrative cyberattacks that does not discriminate by company size, industry, or geography.


​SEC sanctions 8 over email breaches


The Securities and Exchange Commission penalized eight firms across three separate actions for breaches of employee email accounts that exposed the personal information of thousands of customers in each case.

Bank risk

Banking guidance: Six key areas of FinTech due diligence


Three federal banking regulators have released guidance offering tips and suggestions to community banks for conducting due diligence on potential FinTech partners.


CEO: T-Mobile ‘humbled’ by data breach, taking steps to prevent future attacks


T-Mobile CEO Mike Sievert lamented the recent breach of company servers that led to a hacker stealing the personal information of nearly 55 million customers, but said the company is “fully committed to take our security efforts to the next level.”


T-Mobile ups compromised customer account total to 55M


A “highly sophisticated” cyber-attack illegally accessed nearly 55 million customer records of mobile phone carrier T-Mobile, the largest such attack against the company that has been hit at least four previous times since 2018.


T-Mobile the least surprising data breach of 2021


Cyber-attacks catch most companies and their customers off guard, but T-Mobile, the victim of at least five data breaches since 2018, had many red flags indicating its vulnerability ahead of its latest incident.


Pearson fined $1M for misleading data breach disclosures


U.K.-based education company Pearson has agreed to pay $1 million as part of a settlement with the Securities and Exchange Commission for misleading investors regarding a 2018 data breach.


FINRA notice outlines key areas for supervising third parties


The Financial Industry Regulatory Authority issued a notice on compliance deficiencies arising from firms’ relationships with vendors culled from examination findings.


What factors are driving change in your corporate investigations process?


A recent survey from Compliance Week and OpenText reveals while investigations and data volumes are on the rise, machine learning combined with external expertise may give companies the upper hand in accelerating response and results.

Vanessa Benavides index

Q&A: How Kaiser Permanente has handled change brought by COVID-19


Vanessa Benavides, chief compliance and privacy officer and senior VP at Kaiser Permanente, shares how the company adjusted its policies and procedures because of COVID-19 and the lessons she learned along the way.


Judge dismisses CCPA-related lawsuit against Walmart


A federal judge in California dismissed a lawsuit alleging a data breach at Walmart was a violation of the California Consumer Privacy Act, noting the plaintiff failed to prove a breach occurred.


CPE Webcast: Incident and breach management 101

2021-07-29T14:00:00+01:00Provided by

Today’s breach landscape is unprecedented and complex. Every organization is facing potential enforcement of many interconnected and overlapping laws in multiple jurisdictions, each with restrictive timelines. In this complex environment, it is not enough to have a response plan. Your organization needs a response system.


Robinhood Crypto anticipates $10M penalty for cyber, AML failures


Robinhood Markets said its cryptocurrency platform might face a penalty of “at least” $10 million from the New York State Department of Financial Services for anti-money laundering and cyber-security failures.


British Airways settles 2018 data breach class action


British Airways has settled one of the U.K.’s largest group actions after thousands of people sought compensation following a 2018 data breach that resulted in the airline being fined under the GDPR.


TPRM 2021: What to do before, during, and after a ransomware attack


Two risk and compliance practitioners opened their cyber-playbooks at CW’s TPRM virtual event, explaining how to identify and address vulnerabilities, establish transparency with vendors, and strengthen an organization’s incident management program.


Takeaways from NYDFS ransomware guidance


The New York State Department of Financial Services has issued guidance for regulated entities describing best practices for reducing the risk of a ransomware attack.

Linda Tuck Chapman

Pandemic effect on TPRM practices here to stay, expert warns


With many businesses still sorting through the new layers of risk that have emerged over the last 16 months, Linda Tuck Chapman of the Third Party Risk Institute shared her top areas of focus and more at CW’s virtual TPRM event.


Big week for breaches: McDonald’s, Carnival, and more


Multiple high-profile companies—including Carnival, Wegmans, McDonald’s, Volkswagen, and CVS—have confirmed in recent days they were either victims of a data breach or were alerted to a gap in their security controls.

Exposed files

First American Financial settles SEC charges for cyber-security failures


First American Financial Corp. reached a $487,616 settlement with the SEC for failing to maintain cyber-security disclosure controls and procedures that exposed more than 800 million title insurance records containing sensitive customer information.